[Freeipa-users] DNS service fails to start on replica master

Jeff Goddard jgoddard at emerlyn.com
Thu Jan 5 18:33:01 UTC 2017


I re-read and walked through the troubleshooting steps. I have a mismatch
in Key Version Numbers in the keytab file:


Trying to renew the keytab file results in this error:

Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab

Using simple authentication does work but I would prefer to find a solution
to the Kerberos problem. Do you have any further suggestions?

Thanks,

Jeff






On Thu, Jan 5, 2017 at 11:50 AM, Tomas Krizek <tkrizek at redhat.com> wrote:

> On 01/05/2017 04:11 PM, Jeff Goddard wrote:
>
> I'm starting a new thread rather than continuing to submit under:
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
>
> My problem is that I cannot get the DNS service to start on one of my
> replica masters. From the previous message thread:
>
> Hello,
>
> could you check this link https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> Reading the article and following the steps I get this as a result of:
>
> ipa privilege-show 'DNS Servers' --all --raw
>
>   dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   cn: DNS Servers
>   description: DNS Servers
>   member: krbprincipalname=DNS/id-management-1.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup
>
> From the previous thread's logs, it seems there is an issue when
> bind-dyndb-ldap attempts to connect to the LDAP server. The link Martin
> posted has some good advice on how to troubleshoot this.
>
> I don't understand whether you went through the steps and identified any
> issue.
>
> Does your setup use simple authentication or Kerberos?
> When you try to manually set named.conf to use the other option, does it
> work?
> Are you able to authenticate to LDAP using these methods in commands like
> ldapsearch?
>
> Jeff
>
>
>
> --
> Tomas Krizek
>
>

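The KVNO mismatch Jeff reports above is the kind of thing worth checking mechanically before touching the keytab. The following is an added example, not code from the thread or from FreeIPA: a small parser for the MIT keytab file format that lists each entry's principal and kvno and flags principals whose keytab kvno differs from the kvno the KDC currently issues. The keytab bytes, the principal name, realm and the KDC kvno are constructed for the example (enctypes 18 and 17 are aes256-cts and aes128-cts).

```python
import struct

def _counted(buf, off):
    # counted_octet_string: big-endian uint16 length followed by the bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n
def _octets(b):
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno, enctype, key):
    """Pack one 0x0502 keytab entry for 'comp/comp@REALM' (only used to build the sample)."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(_octets(p) for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name_type, timestamp, vno8, enctype
    body += _octets(key) + struct.pack(">I", kvno)            # key, then optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry of a MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:                      # a negative size marks a deleted slot: skip it
            ncomp = struct.unpack_from(">H", data, off)[0]
            realm, off = _counted(data, off + 2)
            comps = []
            for _ in range(ncomp):
                c, off = _counted(data, off)
                comps.append(c.decode())
            vno8, enctype = data[off + 8], struct.unpack_from(">H", data, off + 9)[0]
            _, off = _counted(data, off + 11)   # 11 = name_type(4) + timestamp(4) + vno8(1) + enctype(2)
            vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
            entries.append(("/".join(comps) + "@" + realm.decode(), vno32 or vno8, enctype))
        off = end
    return entries

def kvno_mismatches(keytab, kdc_kvnos):
    """Principals whose keytab kvno differs from the kvno the KDC currently issues."""
    return sorted({p for p, v, _ in parse_keytab(keytab) if p in kdc_kvnos and kdc_kvnos[p] != v})

# Constructed sample: DNS service keys still at kvno 3 while the KDC already issues kvno 4.
DNS_PRINC = "DNS/replica.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(DNS_PRINC, 3, 18, b"\x11" * 32)   # aes256-cts
                 + build_entry(DNS_PRINC, 3, 17, b"\x22" * 16))              # aes128-cts
KDC_KVNO = {DNS_PRINC: 4}   # assumed: what `kvno DNS/...` would report after kinit
```

On a live replica the same comparison is `klist -kt` on the named service keytab against `kvno DNS/<host>@<REALM>` run after a `kinit -kt` with that keytab; a keytab kvno below the KDC's means the file predates a key rotation and named will keep failing GSSAPI binds until the keytab is refreshed.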
